Posted to user@shiro.apache.org by Albert Kam <mo...@gmail.com> on 2013/07/16 10:35:23 UTC

Remember user session for several weeks ?

If I remember correctly, public services like Google usually offer the
ability to avoid the login process for 2 weeks.
This way, even with the tab closed, browser or even OS restart, the user
can still access the web page as the subject without having to re-login.

The question here is:
- To implement this in Apache Shiro, it's just about the session timeout,
isn't it, something like globalSessionTimeout? This way the session is
stored and kept alive for 2 weeks before timing out by itself out of
inactivity.
- This is --not-- the same as the "Remember Me" feature of Shiro where the
authenticated and remembered are differentiated, correct?

-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)

Re: Remember user session for several weeks ?

Posted by Fernando Camargo <fe...@gmail.com>.
Albert,

I think that this is the "Remember Me" feature of Shiro. It correctly
differentiates the authenticated and the remembered user. But, if you want,
you can let the remembered do the same things the authenticated can do.
Some of the known services differentiate and others don't. Amazon.com,
for example, lets the remembered do some operations. But if the remembered
tries to do something that spends money, it requires that the user
authenticates. Google doesn't differentiate, letting the remembered do
the same things. If you don't want to differentiate, just let the
remembered do the same things the authenticated can do.

Regards,


2013/7/16 Albert Kam <mo...@gmail.com>

> If I remember correctly, public services like Google usually offer the
> ability to avoid the login process for 2 weeks.
> This way, even with the tab closed, browser or even OS restart, the user
> can still access the web page as the subject without having to re-login.
>
> The question here is:
> - To implement this in Apache Shiro, it's just about the session timeout,
> isn't it, something like globalSessionTimeout? This way the session is
> stored and kept alive for 2 weeks before timing out by itself out of
> inactivity.
> - This is --not-- the same as the "Remember Me" feature of Shiro where the
> authenticated and remembered are differentiated, correct?
>
> --
> Do not pursue the past. Do not lose yourself in the future.
> The past no longer is. The future has not yet come.
> Looking deeply at life as it is in the very here and now,
> the practitioner dwells in stability and freedom.
> (Thich Nhat Hanh)
>



-- 
Fernando Camargo
Undergraduate student in Computer Engineering - UFG
Oracle Certified Professional, Java SE 6 Programmer
Software Developer at Fibonacci Soluções Ágeis
Blog: http://fernandocamargoti.blogspot.com/
LinkedIn: http://br.linkedin.com/pub/fernando-camargo/26/21/286
Twitter: http://twitter.com/#!/fernandosst
Facebook: http://www.facebook.com/profile.php?id=100001958196379
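
Added example, not part of the original thread and not Shiro's own code: a Java helper showing the remembered/authenticated split the reply describes, where a remembered subject may browse but a money-spending action needs a fresh login. The class, enum and method names (RememberMeGate, Level, mayBrowse, mayPurchase) are hypothetical, and it assumes a Shiro SecurityManager is already configured (for example by the ShiroFilter in a web application).

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: gates actions on remembered vs. authenticated state. */
public final class RememberMeGate {

    /** Illustrative access levels; Shiro itself only exposes the two booleans. */
    public enum Level { ANONYMOUS, REMEMBERED, AUTHENTICATED }

    private RememberMeGate() { }

    /**
     * Logs in and, if requested, asks Shiro to issue the rememberMe cookie.
     * The cookie lifetime is a separate setting from the session timeout, e.g.
     * in shiro.ini: securityManager.rememberMeManager.cookie.maxAge = 1209600
     * (two weeks in seconds).
     */
    public static void login(String username, char[] password, boolean rememberMe)
            throws AuthenticationException {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        try {
            SecurityUtils.getSubject().login(token);
        } finally {
            token.clear(); // wipe the password held by the token
        }
    }

    /** isAuthenticated() and isRemembered() are never both true in Shiro. */
    public static Level levelOf(Subject subject) {
        if (subject.isAuthenticated()) return Level.AUTHENTICATED; // logged in this session
        if (subject.isRemembered()) return Level.REMEMBERED;       // identity from the cookie
        return Level.ANONYMOUS;
    }

    /** Low-risk pages: a remembered identity is enough. */
    public static boolean mayBrowse(Subject subject) {
        return levelOf(subject) != Level.ANONYMOUS;
    }

    /** Sensitive actions (the "spends money" case): require a real login. */
    public static boolean mayPurchase(Subject subject) {
        return levelOf(subject) == Level.AUTHENTICATED;
    }
}
```

In a web application the same split can be expressed with Shiro's built-in URL filters: `user` admits remembered or authenticated subjects, while `authc` admits only authenticated ones.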